Ask stories

The idea is generalists know a lot about everything and when to pass it off to a subject matter expert.

In 2025, with everything in tech changing by the minute, I’m realizing I need to set boundaries about how deep I go on any particular topic. But I’m unsure how. Particularly if I don’t want to get left behind as things continue to evolve.

Curious how other folks approach this?

Ever since Anthropic released feature for Claude to create files, https://www.anthropic.com/news/create-files, all my code changes are now generated as files.

This is leading to soooo many issues:

- Numerous file creation/edit failures is wasting tokens and context:

``` Failed to create SidePanel

Strategized file update method using str_replace.

Failed to edit SidePanel ```

- The generated files are laggy to load compared to the previous generated code snippets.

- Overall worse experience

Anyone else experiencing this? I have just disabled the file generation feature

Recent ["self-propagating NPM malware"](https://news.ycombinator.com/item?id=45260741) reminds us that the predominant security model is basically whack-a-mole: you gotta trust _every_ piece of software you run (including all the libraries, plugins, etc), unless you explicitly sandbox it.

Capability-based security might offer an alternative: software should not have access to things when it's not explicitly provided with access. I.e. "classic" desktop security is kind of a blacklist model (everything is possible unless explicitly restricted e.g. via sandbox) while capbility-based security is like a whitelist.

On a programming language level it's usually known as object-capability model, and there's a number of programming languages which implement it: https://en.m.wikipedia.org/wiki/Object-capability_model

The question: why isn't it more popular? It doesn't even seem to be widely known, let alone used. (Aside from isolated examples.)

Is there any chance it would be widely adopted?

I guess one objection is that people don't want to manually configure security. But perhaps it can be integrated into normal UX if we really think about it: e.g. if you select a file using a system-provided file picker it would automatically grant access to that file, as access is explicitly authorized.

I signed up for Cloudflare's Business plan and paid for a year in advance. While adding a new domain I made a typo and now the subscription is stuck in a limbo.

I can't change the domain without contacting their support or paying another $2400. When I open a support ticket, their portal shows 'Unable to find your account' and tells me to open another support request for it.

All support tickets are closed automatically by their "AI" which points to the same article that says open a ticket.

Is shaming them on Twitter my only option left?

Demo broke us: Datastripes stalled on a 200MB sheet.

Fix = rip logic into WASM analytical DB (<3 duckDB), wire workers with synced message channels, cut the overhead. Parsing + aggregation now run parallel, no BS.

Benchmarks: 500MB ingested in ~2s Charts on 100k+ rows live Plain i7, 16GB RAM

Basically spreadsheets at GPU-speed, no GPU. Play with it: https://datastripes.com

At least a 256x256x256mm print volume. Needs to be enclosed or enclosable. Need to be able to print with more durable, temperature/chemical resistant materials such as PC/Nylon/ABS or infused materials. I do not need to print multi material models. I would prefer something that doesn't phone home and can work offline. Opensource firmware/software and repairability are important.

I am ok assembling the machine and learning how to dial it in. I can do CAD work and make models by hand; I was a machinist in a past life. But, I am not very familiar with 'slicer' software yet.

I'm trying to get a Wikipedia page for Single File Web Apps approved (https://en.wikipedia.org/wiki/Draft:Single_File_Web_Apps), and I'm trying to find good examples of Single File Web Apps (web apps that are just a single HTML file). Please comment if you know of any.

I'm consulting for a US-only startup that has approximately 2000 sellers. We don't yet facilitate payments on site because we are worried about not being sales tax compliant. But now we're thinking about biting the bullet.

Assuming we sell into all states and that our transaction volume will reach $10 million USD, what would be the cost of calculating, collecting, and remitting sales tax to the relevant states, counties, and cities?

Assume too that we only sell one type of product (i.e. we are a specialist marketplace not a general one).

It might be worth separating into setup and recurring costs.

Any surprises in store? Or recommendations in terms of tooling or vendors?

I'm a software dev, and I feel like I can do more in this world than be a crud-monkey for a Fortune 500 company. However, most of the problems that I see in the world don't seem solvable through software. Does anyone else have this problem? Are there obvious outstanding problems that can be solved through software? If there are, who are the people solving these problems?

it seems there is a quite a bit of gap between the performance of Rust iterator and C++ ranges/views unless I am missing something.

https://godbolt.org/z/v76rcEb9n https://godbolt.org/z/YG1dv4qYh

Rust: <code> use std::time::Instant;

fn expand_iota_views(input: &[i32]) -> impl Iterator<Item = i32> + '_ { input .iter() .flat_map(|&n| 1..=n) .flat_map(|n| 1..=n) .flat_map(|n| 1..=n) }

fn main() { let input: Vec<i32> = (0..=50).collect();

    let sample_result: Vec<i32> = expand_iota_views(&input).collect();
    println!("Rust Result count: {}", sample_result.len());

    let start = Instant::now();
    let mut total_count = 0;
    for _ in 0..1000 {
        let result = expand_iota_views(&input);
        total_count += result.count();
    }
    let duration = start.elapsed();

    println!("Rust Total count (1000 iterations): {}", total_count);
    println!("Rust Total time: {} microseconds", duration.as_micros());
    println!(
        "Rust Average per iteration: {:.2} microseconds",
        duration.as_micros() as f64 / 1000.0
    );

Output: Rust Result count: 292825 Rust Total count (1000 iterations): 292825000 Rust Total time: 1025 microseconds Rust Average per iteration: 1.02 microseconds

C++: <code> #include <chrono> #include <iostream> #include <numeric> #include <ranges> #include <vector>

inline auto expandIotaViews(const std::vector<int>& input) { auto iota_transform = [](const int number) { return std::views::iota(1, number + 1); };

    return input 
                | std::views::transform(iota_transform) 
                | std::views::join 
                | std::views::transform(iota_transform) 
                | std::views::join
                | std::views::transform(iota_transform) 
                | std::views::join;

int main() { std::vector<int> input(51); std::iota(input.begin(), input.end(), 0);

    auto sample_result = expandIotaViews(input);
    std::vector<int> result_vec;
    for (auto val : sample_result) {
        result_vec.push_back(val);
    }

    std::cout << "C++ Result count: " << result_vec.size() << std::endl;

    auto start = std::chrono::high_resolution_clock::now();
    size_t total_count = 0;
    for (int i = 0; i < 1000; ++i) {
        auto result = expandIotaViews(input);
        total_count += std::ranges::distance(result);
    }
    auto end = std::chrono::high_resolution_clock::now();
    auto duration =
        std::chrono::duration_cast<std::chrono::microseconds>(end - start);

    std::cout << "C++ Total count (1000 iterations): " << total_count
              << std::endl;
    std::cout << "C++ Total time: " << duration.count() << " microseconds"
              << std::endl;
    std::cout << "C++ Average per iteration: " << duration.count() / 1000.0
              << " microseconds" << std::endl;

    return 0;

Output: C++ Result count: 292825 C++ Total count (1000 iterations): 292825000 C++ Total time: 174455 microseconds C++ Average per iteration: 174.455 microseconds

Hey HN,

I’m a pentester and recently came across a new Mirai-based botnet called Gayfemboy (yes, the name sounds like a meme, but the threat is real). It’s currently infecting over 15,000 devices daily, mostly targeting routers and network gear from Cisco, TP-Link, DrayTek, and Raisecom.

What it does:

Launches DDoS attacks (UDP, TCP, ICMP) Mines Monero using XMRig Acts as a proxy for malicious traffic Installs backdoors and evades analysis (e.g., UPX header tampering, nanosecond delays)

Vulnerabilities exploited (At this moment):

CVE-2025-20281 (Cisco ISE) CVE-2023-1389 (TP-Link AX21) CVE-2020-8515 (DrayTek) CVE-2024-7120 (Raisecom MSG)

Mitigation ideas I’m testing:

Scanning client networks for vulnerable firmware Blocking known malicious domains and IPs at the firewall level Writing scripts to detect outbound traffic to those IOCs Recommending disabling remote admin access on routers I’d love to hear what others are doing to detect or contain this botnet. Has anyone seen it in enterprise environments? Any creative or effective mitigation strategies you’d recommend?

A lot of repos are being under attack where branches are being created under the name [REDACTED] to trigger GH actions and send all secrets to a webhook website. This is new and here is an example:

[REDACTED]

Just search on github and you will see planty repos.

I'm doing a presentation on the dot com boom/bust and wanted a screenshot of the web site. I can't seem to find anything on the web.

Accessing google.com in Lynx now shows:

  Google
  Update your browser
  Your browser isn't supported anymore. To continue your search, upgrade to a recent version. [Learn more]

I'm a top hacker for Cloudflare and the continuous declining level of their bug bounty assessment has made me very concerning.

I submitted an 1-click Account Takeover on their VIP program, apart the previous ones which were assessed as High Severity. But the recent one is downgraded to Low Severity due to phishing, even when the High Severity issue also required phishing. I mean 1-click ATO do require phishing bro.

This is the second incident after their publicly acked mishandled triaging of https://blog.cloudflare.com/unauthorized-issuance-of-certificates-for-1-1-1-1

I do not know what's happening to them, but they are declining to provide answers, even privately/publicly. Also, they publicly boasts of their new VIP program: https://blog.cloudflare.com/cisa-pledge-commitment-bug-bounty-vip/#the-vip-programs-new-enhanced-reward-structure but when submitting this recent report to it, they forwarded it to the public program.

I just learned an expensive lesson and wanted to share it here so others don’t make the same mistake.

I recently lost $300 because of an API key leak. It started with a surprise $200 charge from Google Cloud, and when I looked into it, I found another $100 charge from the day before. Both were for Gemini API usage that I never intentionally set up.

After digging, I discovered the issue: I had hard-coded an API key in a script that was part of a feature I ended up deprecating. The file was only in the codebase for two days, but that was enough for the key to leak. Google actually sent me alerts about unusual activity, but I missed them because they went to a less-frequently-checked email account.

Here’s what I learned:

Never hardcode API keys - Use environment variables or a .env file, even for temporary code.

Set up billing alerts - Google Cloud (and other providers) let you set up alerts for unexpected charges.

Check all linked emails - Don’t ignore notifications, even if they’re sent to secondary accounts.

Don’t rely solely on GitHub’s secret scanning - It’s useful, but renaming variables can bypass it.

This happened while I was experimenting with "vibe coding" (letting AI generate code quickly), but I realized too late that human oversight is still crucial, especially for security.

Hope this helps someone avoid the same costly mistake!

TL;DR: Hard-coded an API key in a deprecated script, key leaked, and I got charged $300. Always use environment variables and set up billing alerts!

Some background on me: I've reached a point where I quit my job of 11 years without notice due to sheer burnout. Shortly after I was hospitalized for a bit.

I'm trying to recover, getting back into healthy routines.

I'm also suffering quite a bit of imposter syndrome due to not having a 4 year degree.

I'm suffering from a lot of analysis paralysis trying to select a side project for a portfolio. Once I decide, I get another layer on how I'm going to implement it. And eventually it winds up feeling like I'm better off not doing any of them.

In my last job I was responsible for a mission critical service in the form of an apache module. Which I can attest is a rather hostile environment. So I'm pretty battle tested in the c/c++ arena.

In my spare time I've reveled in physically based rendering. So I've got enough trig & calc in my head to be dangerous.

My asks of HN:

- What are interviews like these days? How important is it to have a visable portfolio of working projects?

- How much of the AI hype is HN nerds nerding out about AI versus actually implementing AI, versus gluing AI apis together?

- How do you keep yourselves engaged with pet projects? My github is a field of projects 1/4 of the way completed before I lost steam on them.

I need some hope that future employment is possible.

Say I make blogs about linux stuffs. What would be the best way to monetize it? Affiliates? But affiliates require conversions. I am not sure my audience can pay high. I do not get huge volume of audience for adsense to work well.

If I want to sell something that I created to Nepalese, there is no easy way to integrate nepali payment options like eSewa etc. So, what should I do? I am seeking guidance? I have only 2,5 years of experience so freelancing will be tough. Videos creation is probably the best way but making videos is just not my thing. I can write good scripts in fields that I am well experienced in that is all.

Wouldn't git be simpler without stashes and tags?

Tags can be deleted and recreated, so they are just like branches and not immutable as some claim.

Same goes for stashes. They are commits which can't be pushed. Stashes could be implemented by creating a new branch and committing both with a generated name.

Am I missing something? Do both things provide more value than they add complexity/things to learn? :)